Device Security Must Be Top of Mind for Providers During a Windows 10 Migration

Mitch Parker is the Executive Director, Information Security and Compliance at Indiana University Health.

The end of support for Windows 7 represents the end of an era for Microsoft operating systems. It is the last in a line of systems that provided excellent legacy support for applications: its default version was 32-bit, like its predecessors, and it still supported 16-bit applications from the Windows 3.1 days. This meant you could run older applications on a supported OS while concurrently running the most recent ones. Windows 10 changes that, as it is 64-bit by default, meaning that many legacy applications won’t run.

At the same time Microsoft is removing support for older versions of Windows, newer versions of Wi-Fi — 802.11ax (Wi-Fi 6) and 802.11ay — are emerging. Wi-Fi 6 is being deployed in production environments, but Windows 7 devices will generally not be able to support these protocols. This is also significant since Microsoft is co-terming the end of support of Windows 7 and Server 2008 in January 2020, as well as SQL Server 2008 and 2008 R2 on July 9, 2019.

What this means is that both desktops and a large amount of server infrastructure will be affected. Windows 7’s end of life has massive implications for healthcare organizations, many of which haven’t updated their supporting infrastructure for medical devices due to longer device and vendor lifecycles. Healthcare organizations just can’t afford to rip and replace their older devices and servers with new ones at the same time. Complicating matters, a number of medical device manufacturers continue to ship devices that have computers running Windows 7 as part of their installations.

Isolate and Segment Data from Legacy Systems

Providers who have yet to take action need a plan to address these issues while continuing to reduce risks and protect patients and their data.

One of the primary steps organizations can take is to isolate and segment legacy Windows 7, Server 2008 and older devices so they do not communicate with the rest of the network unless absolutely necessary. Network isolation and segmentation protect both legacy devices and the rest of the world.

As the WannaCry attack showed, it is very easy for infected machines to reach out and try to affect numerous others. The main method WannaCry used to propagate was to exploit a vulnerability in the Server Message Block version 1.0 file sharing protocol. This protocol was introduced in Windows for Workgroups version 3.11 in 1992, and was the default protocol until version 2.0 was introduced with Windows Vista and Server 2008 in 2006.

WannaCry is an example of why it is important to turn off legacy protocol support using Group Policy whenever possible for the remaining devices on the main, nonisolated networks. Windows 10 and Server 2016 and up support the latest version of SMB, 3.1.1. Enforcing this will reduce the overall attack surface and prevent older infected machines from affecting the newer ones running Windows 10.
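The following PowerShell script is an added example, not code from the article or from Indiana University Health. It shows the defender's side of the SMBv1 advice above on Windows 10 / Server 2016 endpoints: inventory whether SMBv1 is still installed and enabled, record which clients are still connecting with an SMB 1.x dialect (the machines that would break if the protocol were switched off without notice), and, only when `-Remediate` is given, disable SMBv1, turn on SMBv1 access auditing, and uninstall the SMBv1 binaries. The host names and the assumption that PowerShell remoting is enabled and the caller is a local administrator on each target are mine; the cmdlets, the `LanmanServer\Parameters\SMB1` registry value that the Group Policy method sets, and the `Microsoft-Windows-SMBServer/Audit` event ID 3000 are Microsoft's documented mechanisms.

```powershell
# Added example (not from the article): audit and, optionally, remove SMBv1 on a
# set of Windows 10 / Server 2016+ hosts. Assumes WinRM is enabled and the caller
# is a local administrator on each target. Host names are placeholders.
[CmdletBinding()]
param(
    [string[]]$ComputerName = @('WS10-CLINIC-01', 'SRV16-APP-01'),  # placeholder names
    [switch]$Remediate   # without this switch the script only reports
)

$report = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    param([bool]$DoRemediate)

    # Is the SMBv1 feature (client/server binaries) still installed?
    # Windows 10 DISM feature name; on Server you can also check Get-WindowsFeature FS-SMB1.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

    # Effective server-side protocol setting and audit flag.
    $server = Get-SmbServerConfiguration

    # The registry value a Group Policy preference would set (0 = SMBv1 server disabled).
    $regSmb1 = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                    -Name SMB1 -ErrorAction SilentlyContinue).SMB1

    # Which peers are still talking SMB 1.x to this host right now? Those are the
    # legacy devices that need isolation or an upgrade before SMBv1 is cut off.
    $legacySessions = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect

    if ($DoRemediate) {
        # Refuse new SMBv1 connections and log any further attempts to
        # Microsoft-Windows-SMBServer/Audit (event ID 3000) so stragglers can be found.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -AuditSmb1Access $true -Force

        # Remove the SMBv1 client and server components; completes after a reboot.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Smb1Feature    = $feature.State
        Smb1Enabled    = $server.EnableSMB1Protocol
        Smb1Audited    = $server.AuditSmb1Access
        Smb1RegValue   = $regSmb1
        LegacySessions = ($legacySessions |
            ForEach-Object { "$($_.ClientComputerName) [$($_.Dialect)]" }) -join '; '
    }
} -ArgumentList $Remediate.IsPresent

$report | Sort-Object Computer | Format-Table -AutoSize
```

Run it first without `-Remediate` and review the `LegacySessions` column: any host listed there is a Windows 7 / Server 2008-era device (or a medical device embedding one) that belongs on the isolated segment described above. Once those are moved, rerun with `-Remediate`; the audit events then tell you about any SMBv1 client you missed.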

Segmentation also reduces the attack surface and is effective at preventing attackers from probing and pivoting across the network. A combination of virtual LANs and firewall rules can help even the smallest office isolate legacy components.
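To make the "virtual LANs and firewall rules" point concrete, here is an added example (not from the article) of host-based Windows Firewall rules, created with the `NetSecurity` module cmdlets that ship with Windows 10 and Server 2012+, that back up the VLAN boundary on every domain-joined Windows 10 endpoint. The legacy VLAN range, the management subnet and the rule group name are assumptions; the ports are the standard RPC endpoint mapper, NetBIOS session, SMB and RDP ports. Windows Firewall evaluates block rules before allow rules, so a block scoped to the legacy VLAN cannot be undone by a broader allow rule elsewhere.

```powershell
# Added example (not from the article): host firewall rules on a Windows 10
# endpoint that complement VLAN segmentation of Windows 7 / Server 2008 devices.
# Run elevated. Subnets and the group name are placeholders.
$LegacyVlan    = '10.50.0.0/24'     # assumption: where the legacy devices live
$LegacyPorts   = @('135', '139', '445', '3389')   # RPC mapper, NetBIOS, SMB, RDP
$RuleGroup     = 'Legacy isolation'  # lets us find and remove the rules later

function Set-LegacyIsolationRules {
    # Idempotent: remove any earlier copy of the rules before recreating them.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # Inbound: an infected legacy machine must not be able to open SMB/RPC/RDP
    # to this host, which is exactly how WannaCry-style worms spread.
    New-NetFirewallRule -DisplayName 'Block inbound SMB/RPC/RDP from legacy VLAN' `
        -Group $RuleGroup -Direction Inbound -Action Block -Profile Domain `
        -Protocol TCP -LocalPort $LegacyPorts -RemoteAddress $LegacyVlan | Out-Null

    # Outbound: this workstation should not be initiating file-sharing or RDP
    # sessions into the legacy segment either; management hosts get a separate
    # policy (an assumption about the organization's design, not a firewall feature).
    New-NetFirewallRule -DisplayName 'Block outbound SMB/RPC/RDP to legacy VLAN' `
        -Group $RuleGroup -Direction Outbound -Action Block -Profile Domain `
        -Protocol TCP -RemotePort $LegacyPorts -RemoteAddress $LegacyVlan | Out-Null
}

function Get-LegacyIsolationRules {
    # Show each rule with the address and port filters actually applied, so an
    # auditor can confirm the scope without trusting the display name.
    Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Direction     = $_.Direction
            Action        = $_.Action
            Enabled       = $_.Enabled
            RemoteAddress = $addr.RemoteAddress -join ','
            LocalPort     = $port.LocalPort -join ','
            RemotePort    = $port.RemotePort -join ','
        }
    }
}

Set-LegacyIsolationRules
Get-LegacyIsolationRules | Format-Table -AutoSize
```

The same rules can be pushed fleet-wide through a Group Policy object (Computer Configuration > Windows Settings > Windows Defender Firewall with Advanced Security) instead of running the script per host; the script is useful for the small office the article mentions, and for verifying on a sample machine that the GPO-delivered rules have the intended scope.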

To reduce exposure, provider organizations should also develop solutions to run remotely those applications that cannot be updated to newer versions of Windows. It’s possible to run these applications in an isolated environment and use a tool like Microsoft RemoteApp to display them on newer PCs. RemoteApp is part of the Windows server environment and provides a window people can use to access legacy applications while the vulnerable environment runs behind an isolated network segment. This allows organizations to keep a legacy environment with older applications and still use them until they have a plan to upgrade, while reducing overall exposure.

Migrate to Windows 10 on a Schedule

Having a plan to address upgrades at a pace the business can handle is absolutely critical. There will always be customers who ask for a legacy device or application; unless there is a compelling business need that executives, the legal team or information systems leadership identifies, these requests should be denied. Even if they are approved, these devices need to be isolated from the rest of the network to reduce the risk to everyone else.

Instead, when possible, harden current Windows 10 devices and the supporting server and directory services infrastructures to reduce the use of legacy network protocols. Realize, though, that as a legacy environment ages, upgrading everything running Windows 7, Server 2008 or older systems all at once can be very cost prohibitive. Develop operational plans to keep those environments reasonably current, budgeting for periodic updates and upgrades.

The end of the Windows 7 era represents a break from the past for Microsoft and its customers. It will take a long time for healthcare organizations to migrate away from Windows 7, but with the right path forward, legacy environments can be isolated and the current environment can be hardened and upgraded.

The end goal of protecting the patient starts with the first step down this path.